feat: add hardened module

This commit is contained in:
Felix Schröter 2020-08-14 23:19:21 +02:00
parent d4037ce717
commit 3a95098280
No known key found for this signature in database
GPG key ID: 910ACB9F6BD26F58
3 changed files with 25 additions and 1 deletions


@ -14,7 +14,6 @@
boot.supportedFilesystems = [ "ntfs" ]; boot.supportedFilesystems = [ "ntfs" ];
boot.kernelPackages = pkgs.linuxPackages_latest; boot.kernelPackages = pkgs.linuxPackages_latest;
boot.loader.systemd-boot.enable = true; boot.loader.systemd-boot.enable = true;
boot.loader.systemd-boot.editor = false;
boot.loader.efi.canTouchEfiVariables = true; boot.loader.efi.canTouchEfiVariables = true;
services.smartd.enable = true; services.smartd.enable = true;


@ -2,6 +2,7 @@
{ {
imports = [ imports = [
./hardened.nix
./i18n.nix ./i18n.nix
./nix.nix ./nix.nix
./vpn.nix ./vpn.nix

24
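--- a/system/hardened.nix
+++ b/system/hardened.nix
@@ -0,0 +1,24 @@
+{ config, pkgs, lib, ... }:
+# utilises some of the measures from
+# <nixpkgs/nixos/modules/profiles/hardened.nix>
+with lib;
+{
+boot.loader.systemd-boot.editor = mkDefault false;
+nix.allowedUsers = mkDefault [ "@users" ];
+# causes Firefox & Tor Browser segfaults
+# environment.memoryAllocator.provider = mkDefault "scudo";
+# environment.variables.SCUDO_OPTIONS = mkDefault "ZeroContents=1";
+# mullvad-daemon is blocked by one of these measures
+# security.hideProcessInformation = mkDefault true;
+# security.lockKernelModules = mkDefault true;
+# security.protectKernelImage = mkDefault true;
+security.apparmor.enable = mkDefault true;
+}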
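Review bot: The three commented-out options `security.hideProcessInformation`, `security.lockKernelModules` and `security.protectKernelImage` are all dropped on the strength of one observation that "one of these measures" blocks mullvad-daemon, so the two that are not at fault lose their protection as well; enabling them one at a time would pin down the culprit and let the other two ship (if the VPN loads a kernel module after boot, `lockKernelModules` is the plausible one, but that is inferred, not shown here). Recording the outcome in the comment, e.g. `# TODO: bisect which of these breaks mullvad-daemon; re-enable the others`, would stop the next reader from assuming all three are unusable. The header comment points at the upstream hardened profile but this module adopts only a small subset of it, so a line naming what was deliberately left out (its sysctl and kernel-package choices, for instance) would make clear whether the omissions are intentional. Every setting here uses `mkDefault`, which is consistent with the host config in the first hunk dropping its hard-coded `systemd-boot.editor = false` and inheriting the same value at default priority.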